Two more weeks left to take the JNCIP-SEC exam, or I will lose my JNCIS-SEC credentials. I have a fully loaded SRX320 cluster (with advanced feature licenses) and a vSRX in place so I need to lab up quickly. First feature on the list is Juniper Enhanced Web filtering.

Before you begin the configuration, make sure you meet the following prerequisites:

The device has a valid wf_key_websense_ewf license

The egress interface has internet connectivity

The device has working name-servers defined

If you are enabling the feature on a virtual router, be sure to define the VR under [edit security utm feature-profile web-filtering]

To activate the Juniper Enhanced Web Filtering feature, enter the following command:

Before we configure the Websense categories, we should define custom whitelists and blacklists, which can be used to overrule unexpected results from the automated Websense categorization.

Under the UTM custom-objects, we’ll create an URL pattern for one of our favorite networking-related forums and for a blacklisted adult site. These are then addded to custom black/whitelist categories.

As for the Enhanced Web-filtering example, I’ll create one profile for standard internet access called “WF-DefaultInternetAccess”. Adult content and malicious URLs/IP addresses will be blocked by default and some ‘undesirable’ categories will be allowed, yet a security event will be logged. The default action will be set to “permit”.

That’s pretty much all there is to it for a basic EWF setup. There are many more nerdknobs you can tune but I’ll stick to the basics for my JNCIP-SEC studies.

Bear in mind that the URL filter only works for HTTP traffic and most of the web these day is on SSL and using CDN networks, so it’s very hard to get a good match on SSL traffic. This can be solved by using SSL Forward Proxy or relying more on Layer-7 AppID with custom application signatures.

My network is running IPv6 with SLAAC and the JunOS version on my firewall does not support RDNSS, so I needed a full-featured DHCP server to hand out DNS information.

I already have a Raspberry Pi running isc-dhcp-server for my IPv4 network so I thought it would be simple to add IPv6 support. Unfortunately it was not – the ISC DHCP server does not support dual-stack natively so you need to run two independent services in parallel.

The official documentation for this is very limited and outdated, so it took a lot of blogs and forum posts to get it working, so perhaps this post will help others in their quest for DHCPv6 support 🙂

I am assuming that you have already installed and configured the DHCP server for IPv4. If not, you can do so by entering the following command.

INIT file – /etc/init.d/isc-dhcp-server6

This will create a new file isc-dhcp-server6 – use nano or vi to edit it.

Some of the values in the ### INIT INFO ### section need to modified to represent the new dhcpv6 service. I’ve also modified the value for the default config file, DHCPD_DEFAULT, to be /etc/default/isc-dhcp-server6 – more on that file later.

The script below shows only the first part of the script so don’t copy-paste.

Config file – /etc/dhcp/dhcpd6.conf

This file, just like in the IPv4 version, contains the global DHCP options and the subnet statements, reservations, etc. I am using it in conjunction with SLAAC, so DHCPv6 is only used to hand out the DNS info.

Note – For IPv6 subnets, you need to use the subnet6 statement.

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed.
ddns-update-style none;
# Option definitions common to all supported networks...
default-lease-time 600;
max-lease-time 7200;
# This DHCP server is the official DHCP server for the local network
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# Subnet declaration
subnet6 2a02:1234:420a:112d::/64 {
option dhcp6.name-servers 2a02:1234:420a:100b::10, 2001:4860:4860::8888;
option dhcp6.domain-search "netprobe.local";
}
subnet6 2a02:1234:420a:100b::/64 {
option dhcp6.name-servers 2a02:1234:420a:100b::10, 2001:4860:4860::8888;
option dhcp6.domain-search "netprobe.local";
}

The DHCP6 leases file

It’s possible the service will not start because this file does not exist:

In my previous post I configured IPv6 with Prefix Delegation. IPv6-PD is alright for a simple topology but it is very, very limiting and seems quite complicated to implement when you have many subnets in a complex topology.

This post will cover static IPv6 routing. Ideally I would have implemented OSPFv3 to handle dynamic routing but sadly, my switches do not support that feature, even with the EFL license.

Lab Topology

Here is a small part of my network which I’ll be using to test it.

Notice that the client VLAN is the only segment with a globally routed IPv6 address. With IPv6, it is perfectly fine to use only link-local (non-routed) addressing on your transit networks, and in fact it has several benefits! If you’re curious what those benefits are, you can read all about it in RFC7407 by Eric Vyncke and Michael Behringer.

Addressing configuration

My provider has assigned me two static prefixes to me. These are not the real ones btw 🙂

Enabling Router Advertisements

To enable dynamic address assignments (SLAAC) for the clients behind it, we also need to enable router advertisements on this interface. The other-stateful-configuration command will add the O-Flag to the advertisements, so we can later add the additional DNS information via DHCPv6.

I’m currently setting up IPv6 in my own office so I thought it would be worth documenting the configuration I’m adding on my Juniper equipment to make it all work.

I have an internet subscription with a static IPv4 address and also included with it is a /48 static IPv6 prefix. There are two ways I can set it up: static configuration or “semi-automatic” by using Prefix Delegation. This article discusses the latter and in my next post I will document the static configuration, as that’s what I will ultimately be using.

First Things First – Enabling IPv6 Forwarding

Before you can start using IPv6 on the SRX, the device needs to be explicitly configured to forward V6 traffic. This because, by default, the forwarding mode for IPv6 is set to drop. You can verify this on the command line – as shown below, the default forwarding mode for Inet6 traffic is drop:

Configuring IPv6 with Prefix Delegation

Prefix delegation is a simple method to automate the assignment of IPv6 prefixes on subscriber equipment. The CPE (in my case the SRX) informs the upstream router, called the Broadband Network Gateway (BNG) that it wants to use Prefix Delegation. The BNG retrieves the prefix for the subscriber and announces the /48 back to the CPE, after which both sides confirm the prefix allocation. The CPE will then automatically divide the /48 into smaller /64 subnets on the LAN interfaces it has configured for PD Router Advertisements.

If you want to find out exactly how it works, you can find more information in RFC3633

First, we configure the outside interface, pp0.0 in my case. Notice that we are configuring this under family inet6.

The DHCPv6 client is activated on the outside, ISP-facing interface. Some PD-specific configuration is added and we will request the DNS server addresses from the provider.

Now, this part seems to be working fine, but you may notice that the client has not received any IPv6 name servers.
This is because the client uses SLAAC to configure its v6 address based on the Router Advertisements, but it still relies on DHCPv6 to receive any special information such as DNS servers.

To make this work, we need to add a few more bits of configuration to use the SRX as a a DHCPv6 server.

Handing out DNS servers via DHCPv6

First, configure the DHCPv6 pool with the prefix and the DNS server you want to hand out. I’m using Google DNS here.

Now, if I was running a fairly simple network with just a few subnets, I would be using Prefix Delegation but I also have a couple of L3 devices behind this firewall. Extending PD all the way down would make it overly complex, so I’ll go for static configuration with OSPFv3 in the next article.

Please let me know in the comments if this configuration did not work for you!

The Juniper Virtual Chassis technology allows you to combine multiple physical switches into one logical switch stack, which reduces the management overhead of dealing with many switches. Because all members are acting as a single device, with a proprietary control protocol underneath, there is no need for Spanning Tree and its blocked links. It also has dual routing engine support, albeit with some feature limitations on the EX2200 platform.

Unlike the high-end Juniper switches, the EX2200 does not have dedicated virtual-chassis ports either, so you are limited to using the on-board ethernet ports. The cross-member bandwidth should be OK for basic access deployments though, so here’s how to set it up.

First, gather the serial numbers of all your switches. There are several commands that will show you the serial. I’ve used show chassis hardware

Do this for all your switches and copy them to notepad. You will need them later. Mine are indicated on the diagram below.

Next, we need to configure our Ethernet ports for virtual-chassis functionality. The EX2200 does not have dedicated VCP ports so we need to convert some ethernet ports. As shown on the drawing, I will use the last four ports on each switch. To activate the ports for VC functionality, enter the following commands.

Before we can move on to connecting the cables, we have to set up the virtual chassis parameters on our primary routing engine.

We will set up the virtual-chassis in pre-provisioned mode, where we manually tie the serial ids to the member id. The first two switches will be configured as routing engines, one master and one backup, and the last switch will serve as a dumb old line-card. In my case, the virtual chassis configuration on routing engine 0 looks like this:

This command shows us the IDs, serials and roles of all the members. The far-right columns also show on which ports the neighbours are detected. You can use this to verify everything is properly cabled up.

A quick terse command also shows us all interfaces in the stack are available, except for the ones we dedicated as VCP ports.

root> show interfaces terse | no-more
Interface Admin Link Proto Local Remote
vcp-255/0/20 up up
vcp-255/0/20.32768 up up
vcp-255/0/21 up up
vcp-255/0/21.32768 up up
vcp-255/0/22 up up
vcp-255/0/22.32768 up up
vcp-255/0/23 up up
vcp-255/0/23.32768 up up
ge-0/0/0 up down
ge-0/0/0.0 up down eth-switch
ge-0/0/1 up down
ge-0/0/1.0 up down eth-switch
ge-0/0/2 up down
ge-0/0/2.0 up down eth-switch
ge-0/0/3 up down
ge-0/0/3.0 up down eth-switch
ge-0/0/4 up down
ge-0/0/4.0 up down eth-switch
ge-0/0/5 up down
ge-0/0/5.0 up down eth-switch
ge-0/0/6 up down
ge-0/0/6.0 up down eth-switch
ge-0/0/7 up down
ge-0/0/7.0 up down eth-switch
ge-0/0/8 up down
ge-0/0/8.0 up down eth-switch
ge-0/0/9 up down
ge-0/0/9.0 up down eth-switch
ge-0/0/10 up down
ge-0/0/10.0 up down eth-switch
ge-0/0/11 up down
ge-0/0/11.0 up down eth-switch
ge-0/0/12 up down
ge-0/0/12.0 up down eth-switch
ge-0/0/13 up down
ge-0/0/13.0 up down eth-switch
ge-0/0/14 up down
ge-0/0/14.0 up down eth-switch
ge-0/0/15 up down
ge-0/0/15.0 up down eth-switch
ge-0/0/16 up down
ge-0/0/16.0 up down eth-switch
ge-0/0/17 up down
ge-0/0/17.0 up down eth-switch
ge-0/0/18 up down
ge-0/0/18.0 up down eth-switch
ge-0/0/19 up down
ge-0/0/19.0 up down eth-switch
ge-1/0/0 up down
ge-1/0/0.0 up down eth-switch
ge-1/0/1 up down
ge-1/0/1.0 up down eth-switch
ge-1/0/2 up down
ge-1/0/2.0 up down eth-switch
ge-1/0/3 up down
ge-1/0/3.0 up down eth-switch
ge-1/0/4 up down
ge-1/0/4.0 up down eth-switch
ge-1/0/5 up down
ge-1/0/5.0 up down eth-switch
ge-1/0/6 up down
ge-1/0/6.0 up down eth-switch
ge-1/0/7 up down
ge-1/0/7.0 up down eth-switch
ge-1/0/8 up down
ge-1/0/8.0 up down eth-switch
ge-1/0/9 up down
ge-1/0/9.0 up down eth-switch
ge-1/0/10 up down
ge-1/0/10.0 up down eth-switch
ge-1/0/11 up down
ge-1/0/11.0 up down eth-switch
ge-1/0/12 up down
ge-1/0/12.0 up down eth-switch
ge-1/0/13 up down
ge-1/0/13.0 up down eth-switch
ge-1/0/14 up down
ge-1/0/14.0 up down eth-switch
ge-1/0/15 up down
ge-1/0/15.0 up down eth-switch
ge-1/0/16 up down
ge-1/0/16.0 up down eth-switch
ge-1/0/17 up down
ge-1/0/17.0 up down eth-switch
ge-1/0/18 up down
ge-1/0/18.0 up down eth-switch
ge-1/0/19 up down
ge-1/0/19.0 up down eth-switch
ge-2/0/0 up down
ge-2/0/0.0 up down eth-switch
ge-2/0/1 up down
ge-2/0/1.0 up down eth-switch
ge-2/0/2 up down
ge-2/0/2.0 up down eth-switch
ge-2/0/3 up down
ge-2/0/3.0 up down eth-switch
ge-2/0/4 up down
ge-2/0/4.0 up down eth-switch
ge-2/0/5 up down
ge-2/0/5.0 up down eth-switch
ge-2/0/6 up down
ge-2/0/6.0 up down eth-switch
ge-2/0/7 up down
ge-2/0/7.0 up down eth-switch
ge-2/0/8 up up
ge-2/0/8.0 up up eth-switch
ge-2/0/9 up down
ge-2/0/9.0 up down eth-switch
ge-2/0/10 up down
ge-2/0/10.0 up down eth-switch
ge-2/0/11 up down
ge-2/0/11.0 up down eth-switch
ge-2/0/12 up down
ge-2/0/12.0 up down eth-switch
ge-2/0/13 up down
ge-2/0/13.0 up down eth-switch
ge-2/0/14 up down
ge-2/0/14.0 up down eth-switch
ge-2/0/15 up down
ge-2/0/15.0 up down eth-switch
ge-2/0/16 up down
ge-2/0/16.0 up down eth-switch
ge-2/0/17 up down
ge-2/0/17.0 up down eth-switch
ge-2/0/18 up down
ge-2/0/18.0 up down eth-switch
ge-2/0/19 up down
ge-2/0/19.0 up down eth-switch
bme0 up up
bme0.32768 up up inet 128.0.0.1/2
128.0.0.16/2
128.0.0.32/2
tnp 0x10
bme0.32770 down up eth-switch
bme0.32771 down up eth-switch
dsc up up
gre up up
ipip up up
lo0 up up
lo0.16384 up up inet 127.0.0.1 --> 0/0
lsi up up
me0 up down
me0.0 up down inet
mtun up up
pimd up up
pime up up
tap up up
vlan up up
vlan.0 up up inet 192.168.1.1/24
vme up down

We can login to other chassis member for troubleshooting by using the following command. When you log in to a line card JunOS will alert you that it shouldn’t be used for configuration.

root> request session member 2
--- JUNOS 12.3R11.2 built 2015-09-24 11:14:53 UTC
root@:LC:2%
root@:LC:2% cli
warning: This chassis is operating in a non-master role as part of a virtual-chassis (VC) system.
warning: Use of interactive commands should be limited to debugging and VC Port operations.
warning: Full CLI access is provided by the Virtual Chassis Master (VC-M) chassis.
warning: The VC-M can be identified through the show virtual-chassis status command executed at this console.
warning: Please logout and log into the VC-M to use CLI.
{linecard:2}
root>

The out of band management interface, on the back of the switches, can use the same shared IP address across all VC members. To do so, you need to configure the vme interface with the desired management IP. In the background, all member’s management ports (otherwise known as me interfaces) are added to a special management VLAN which is tied to the layer3 vme interface.

All physical management interfaces can be connected to the OOB management VLAN, and the virtual chassis can respond to ARP requests on all of them.

Note – the VME interface will not work if you already have conflicting configuration on the me interface.

Because we have two routing engines, it’s also recommended to configure the commit synchronize option. When the configuration is committed on the primary routing engine, it will copy over to the backup routing engine. Both routing engines will then validate and activate the new configuration during the commit operation.

{master:0}[edit]
root# set system commit synchronize

Under the hood, the switches are running VCCP, a Juniper proprietary protocol largely based on IS-IS. If you’re interested, you can verify much of the protocol state from the command line, but I won’t go into detail.

Quoting Juniper here, “most high availability features, including Graceful Routing Engine switchover (GRES), Nonstop bridging (NSB), Nonstop active routing (NSR), and Nonstop software upgrade (NSSU), are not supported on an EX2200 Virtual Chassis.” Therefore, I would not rely an EX2200 virtual chassis as a core switch HA solution.. It does make sense using EX2200 virtual chassis in the access layer though, for simplified management and cross-switch etherchannel connectivity.

Removing Virtual-Chassis Configuration

A switch that was previously member of a virtual chassis may give you some headache when you’re trying to use it as a standard switch again. For example, VC ports can not be returned to their original state, or you might see that it stays in the previous role, even though you’ve removed the configuration. Here’s what seems to work for me.

Going through the JNCIS-ENT course, I realized that I had forgotten so much of the details about the different LSA types and all of its intricacies. Next to being able to answer trick exam questions, knowing the LSAs and their working helps a lot when dealing with complex OSPF problems or optimizing your network topologies. As I really needed a refresher for this exam and my upcoming NP refresh I created this simple topology and tried to document as much of my findings as possible.

Lab Topology

We have four routers interconnected via OSPF. The area configuration is as follows.

vMX1 – RID 1.1.1.1 – connected to area 12

vMX2 – RID 2.2.2.2 – connected to area 12 and backbone area 0

vMX3 – RID 3.3.3.3 – connected to backbone area 0 and area 34

vMX4 – RID 4.4.4.4 – connected to area 34

Below is the standard configuration that is running on router VMX2 – Router ID, area statements and active interfaces. The other routers have similar configuration for their respective interfaces and areas.

For now, until we move on to the Type 7 LSA, all areas are configured as standard areas. Before we start, here is an output of the LSA database on router VMX2. As it’s connected to two areas, it’s keeping two LSDBs. We’ll be using this router’s database for the first set of LSAs.

LSA Type 1 – Router LSA

The first LSA type is generated by every router participating in OSPF and lists all of the router’s links together with their associated cost, as well the OSPF neigbhours it has inside the area. Every router will flood a Router LSA for each area it is active in.

Looking at our OSPF database from before, router 2.2.2.2 has received a router LSA from router 1.1.1.1 and router 3.3.3.3 (Adv Rtr). Those LSAs are only seen in their respective areas, which demonstrates that a router LSA never leaves an area. We can further drill down to display only routers LSAs with the following command.

If we want to get more specific and view the contents of the actual LSA, we can do so by specifying the LSA ID and adding the extensive command. Let’s see what router 1.1.1.1 is telling us about itself.

The router is advertising its two links in the LSA (link count 2). The LSA identifier is the originating router’s RID. The first link is an OSPF type Transit where it has a neighbourship with router 172.16.12.2 (data). If we configured the interface-type to p2p, we would see this as the link type. The router also has a Stub link with prefix 1.1.1.1/32, which means that this network contains only one router.

LSA Type 2 – Network LSA

The second LSA type is the Network LSA, which is generated by the Designated Router on a multi-access (broadcast or non-broadcast) segment. It lists all of the routers connected to the segment. It is generated only by the Designated Router to prevent duplicate LSAs.

Our router 2.2.2.2 has received the following network LSAs in area 12:

From this LSA, we can tell that the network has a /24 mask and that it has router 1.1.1.1 and 2.2.2.2 attached to it. It does not include a cost or metric for the routers, because from the network’s point of view, the cost to the attached routers is zero. If we wanted to know more information about a particular router, we can use the attached router ID which in turn refers to the router LSA we looked at earlier.

LSA Type 3 – Network Summary

This LSA type is generated by Area Border Routers and flooded into a particular area to represent destinations outside of the area. In the opposite direction, the ABR will also advertise prefixes from a non-backbone area back into backbone area 0 with a network LSA. They are flooded into areas where the destination prefix was not found. One thing worth noting is that this only counts for inter-area destinations learned inside the OSPF AS. Routes external to OSPF will use a different LSA type which I’ll cover later.

Again, we will view the contents of router 2.2.2.2’s database for area 12.

Router 2.2.2.2, as the area border router, has generated these LSAs itself (*) and flooded them into area 12. Comparing this to the diagram and the full LSA database, we can tell that it has created network summaries for Router, Network and Summary LSAs inside area 0.

The LSA ID matches the destination network’s prefix. In this case, router R2 knows about the network 172.16.34.0/24 and added a cost of 2 to reach it. Router 1.1.1.1 will add this value to its own cost to ABR 2.2.2.2 to determine the ultimate cost for the route.

LSA Type 4 – ASBR Summary

When a router is advertising routes from sources external to the OSPF AS, it is called an Autonomous System Border Router (ASBR). Like any other router, it will generate a router LSA for itself (Type 1) into its own area but with a special flag E set. When this LSA is received by the other ABR, the router LSA will be converted into a Type 4 LSA when it is flooded into other areas. The LSA is flooded throughout the entire OSPF Autonomous System and lets other routers know how to reach the ASBR.

To demonstrate, I have configured router 4.4.4.4 to redistribute route 10.4.0.0/24 from its loopback interface as an external route. First, define the export policy as a policy-statement.

LSA Type 5 – AS External LSA

When the ASBR imports routes from outside the Autonomous System, either through static or protocol redistribution, it will flood them into its area as AS External LSAs. This type of LSA is flooded throughout the OSPF topology except for stub areas.

Router 2.2.2.2 has received the external route from ASBR router 4.4.4.4.

Router 2.2.2.2 has now learned about the external route 10.4.0.0/24 and will need to recursively use ASBR 4.4.4.4 to reach it. Because the route was injected with the default Type E2, inter-area OSPF link cost is not taken into consideration, and the associated cost is zero as injected by router 4.4.4.4. Before we wrap up on this LSA type, the external route types might need some clarification.

E1 and E2 type routes

External routes or Type 5 LSAs can be imported as either Type 1 or Type 2 routes. When injecting as E2 routes, the autonomous system’s internal cost metrics are not taken into consideration when the LSA is flooded throughout the topology. This the default behaviour and it’s fine in simple stub topologies, but as OSPF is by design a cost-based protocol, using E1 routes makes more sense. This will make the routers combine the route’s original metric with the cost to reach the ASBR (Type 4 LSA), resulting in the total route cost. Let’s demonstrate…

The external route type is configured in the routing-policy. Here’s an example of my export policy before making any changes.

LSA Type 7 – NSSA External

When an area is configured as a stub, external routes or Type 5 LSAs will not be allowed in and commonly replaced by one default route. This reduces the LSDB size on the stub routers and keeps the topology simple, but there might be cases where you do need external routes to originate in those stub areas. For these cases, the Not-So-Stubby Area was designed. This allows you to place an ASBR in the stub area and still import external routes, but this time with a special LSA type. When it traverses to the backbone area, the stub-to-backbone ABR will convert the NSSA External LSA into a standard Type-5 External LSA.

To demonstrate, I have converted area 34 to a NSSA on both router 3 and router 4.

Interestingly, the advertising router is no longer 4.4.4.4 but 3.3.3.3, as this was the one that generated the Type 5 LSA. Because this router is now also acting as an ASBR, it advertised its own Router LSA with the E bit set which is into an ASBR summary LSA by router 2.2.2.2 when it is sent into area 12.

Modern Junos devices have dual boot partitions, each with their own copy of the operating system. This ensures that the device will boot if storage or other boot-related issues are detected on the primary boot partition.

However, when you manually update the software, it is only updated on one of the partitions which is then set as the boot partition. The second, original, partition will keep running on the previous version until it is manually updated as well. This might be an advantage if you are testing a new software version and want to quickly roll back to the old one. It could also wreak havoc if you are inadvertently falling back to a pre-historic software version that is missing or not compatible with some of the features you’ve since enabled. If you have found a stable software version, it’s best to keep both partitions in sync. Here’s how to do it…

Identifying a software mismatch

The first hint is given at boot time. Right before the login prompt and banner, the console will alert you of the software version disparity.

As you can see from the output, we are currently running on partition /dev/ad0s2a, which has a newer software version than the first partition /dev/ad0s1a.

Cloning the primary partition

To get the software version from our now-primary partition over to the backup, the system will first format the backup partition and then clone the contents. This process is initiated with the command below.

netprobe@netfilter> request system snapshot slice alternate
Formatting alternate root (/dev/ad0s1a)...
Copying '/dev/ad0s2a' to '/dev/ad0s1a' .. (this may take a few minutes)
The following filesystems were archived: /

After the cloning process you might need to reboot the device, depending on the model. If all went well, you will no longer see the warning prompt for version mismatch:

Can’t believe it has already been two months since I last posted on my blog… The last two weeks of October I had to go into full-on study mode for the JN0-332 exam so I had to pause on the write-ups for a while. Fortunately the hard work paid off and after a good six months of study and labbing, with a hot summer in between, I sat the JN0-332 on the 26th of October and passed it with 83 percent.

The exam itself was very fair and covered all the topics on the blueprint and in the freely available Juniper Study Guides. I have sat a few “other vendor” exams where multiple questions caught me off-guard and were definitely not included in the related cert guides. Not really the case with this Juniper exam though, so hats off to Juniper for delivering a consistent test.

Another great thing is that Juniper lets you go back through the questions when you’re done. You can also mark questions, which you’re uncertain about, for review. When you’re done, and if you still have some time on the counter, you can run through it once more to fill in the gaps. Or perhaps one of the later questions made you rethink your answer on an earlier question. I’m certain this approach will earn test-takers some points.

The Score Report is pretty straight-forward. It breaks the exam down into the main topics, the total number of questions, number of correct answers and your total percentage. My worst scores were on Firewall User Authentication, which to be fair only had a couple of questions, and UTM, which I couldn’t fully simulate in my SRX100 and vSRX lab. Fair to say I wasn’t surprised with the outcome, but still very satisfied overall.

For anyone interested in the JNCIS-SEC certification, here is what I used to pass the exam…

JNCIS-SEC Study Guides

Probably the most important source of information for this exam, Juniper is offering free Study Guides for all Specialist tracks on their site. You will need an account but registration is free so there really is no excuse. Follow this link

The first PDF covers SRX basics, Security Zones, Policies, User Authentication, NAT, IPsec and Clustering. The second PDF is dedicated to the UTM features.

Juniper SRX Series – By Brad Woodberg, Rob Cameron

I bought this book early on, when I first encountered the SRX at a new job. Weighing in at about 1000 pages, it’s the perfect reference for anyone dealing with the SRX on a daily basis. It’s not something you’ll read front to back though, and I’ve found myself reading through the chapters for whatever feature I need at a certain point. For example, the chapter on Screens gives you an in-depth review of each of the features, the attacks for which they were written, and so on. Highly recommended! I’ve also found that you can read the book online

Juniper vSRX – Firefly

The virtual edition of the SRX firewall. You can run a trial version on your Hypervisor and even try the Advanced Features for 60 days. More information here.

Three SRX100Bs

I bought three of these boxes for cheap on eBay. They don’t have the high memory so don’t support UTM or IPS, but they are great for configurations that are hard to do on the virtual appliance, like aggregated interfaces and clustering. Added bonus is that they also support routing and switching so they can be used for the ENT track also.

Junos Genius app

The official Juniper app for JNCIA and Specialist level exams. Whenever I had a few minutes off I would go through some practice questions. Very good to keep your mind on the content and memorise some of the technical details. I just wish they had a PC edition! 🙂

Next challenge?

For a few weeks I was working on the Brocade Certified vRouter Engineer certification. I already touched some Vyatta/VyOS routers so figured I might as well try the free exam. Unfortunately, when I tried to book the exam, I found that the Brocade voucher had expired. I tried mailing Brocade but to no avail – they confirmed that the promotion was no longer running. That sort of halted the BCVRE endeavour…

For a good two weeks now I’ve been going through the JNCIS-ENT study guides. Bought myself a couple EX switches which will be complementing the SRX and vSRX I already have in the lab. It should also be a good refresh of the routing & switching topics as my CCNP is up for renewal in December 2016. As I did for JNCIS-SEC, I will be writing up my ENT labs on the blog.

If you are interested in the JNCIS-SEC certification, and have any other questions, feel free to post them in the comments section. Thank you for reading!

I came across an interesting one today, where a Cisco Zone-Based Firewall needed to be reconfigured to serve DHCP for a segment connected to it in a zone called “Guest”. It already had a policy-map configured for traffic from Guest to Self, which had ACLs for SSH management.

First I tried adding these two lines to that ACL, in the existing class-map

permit udp any any eq bootpc
permit udp any any eq bootps

Although I did see the ACL match counters increment, DHCP was not handing out addresses yet. A quick search led me to this page on the Cisco site. In the last paragraph, they state the following:

If the routers’ inside interface is acting as a DHCP server and if the clients that connect to the inside interface are the DHCP clients, this DHCP traffic is allowed by default if there is no inside-to-self or self-to-inside zone policy.
However, if either of those policies does exist, you need to configure a pass action for the traffic of interest (UDP port 67 or UDP port 68) in the zone pair service policy.

In my case, there was a policy configured but with the action set to inspect. To fix it, I had to add a new ACL and class-map to the Guest-Self policy-map.

New ACL that matches the DHCP traffic. The source and destination is set to any because of the DHCP request format.

Most deployment guides for SRX clusters out there focus on standard two-port deployments, where you have one port in, one port out and a couple of cluster links that interconnect and control the cluster. Unfortunately, in that design, one simple link failure will usually make the cluster fail over. Coming from the R&S realm, I am very careful when it comes to physical redundancy so I wanted to figure out a way to get this working with Etherchannels.

After a lot of reading and some trial and error, I ended up with a working solution. Probably not perfect, but definitely more redundant. So, in this post we will get the topology below configured and afterwards do some failover testing.

Basic Cluster Setup

The commands below will get the basic cluster up and running, assuming you have already configured the cluster and node ids.

set system root-authentication encrypted-password "$1$FQl4d.NC$l25c0bDGr5aPq9ZHx0R.S."

set groups node0 system host-name FW01A
set groups node1 system host-name FW01B

Layer3 Etherchannel configuration on the SRX

The physical ports will be bundled in two reth interface. Per reth interface, we will add two physical ports per cluster node, which yields a total of four ports. However only two links will ever be actively forwarding traffic – those on the active RG.

It is important that the links from every cluster nodes are terminated on separate etherchannels on the switches. Otherwise the switches would also load-balance the traffic over the two non-forwarding ports, as documented here…
In my topology, both switches have a Port-Channel 11 and 12, going to their own cluster node.

Pay special attention to the configuration of the reth interfaces. First, we tie the redundant interfaces to our redundancy-group 1, in which we will later control the failover conditions.

The minimum-links command determines how many interfaces must be up before the LACP bundle is considered up. Although we have two interfaces per cluster, we still want traffic forwarded in a worst-case scenario. Setting minimum-links 1 will keep the Etherchannel up even in the unlikely event of having three physical ports down.

By adding the vlan-tagging command, and adding a logical subinterface (unit 255) with vlan-id 255 specified, we are creating a tagged L3 Etherchannel. In other words, the SRX is expecting packets for sub-interface reth1.255 to be tagged with a dot1q value of 255. The unit number can be any number you like, but it’s best to keep the unit number and the dot1q value aligned – for your own sanity! 🙂

Security Zones and Policies

To check basic connectivity and later run some failover tests, I have added the following configuration for the Security Zones, Policies and Source NAT. In a production environment, you probably won’t be allowing ping.

Layer3 Switch Configuration

Now that we have our layer 2 connectivity, we can move on to the IP addressing. On the L3 switches, I will configure the SVIs in the transit network, and run HSRP between them with hello/hold timers of 1 and 3 seconds. This would allow for a reasonable failover time in case of an outage.

After many bits of configuration, our cluster is live so we can start implementing some failover mechanisms.

Configuring the interface-monitor

When the interface-monitor is configured, it sets a threshold value of 255 to each redundancy group. Each interface is assigned a custom weight for the redundancy group, which is detracted from the threshold if the interface goes physically down. When the threshold reaches zero, the redundancy group and all its objects fail over.

Note –a commmon mistake (trust me) is to mix up the interface monitor weights with the RG priorities. These are two separate values, the interface monitor threshold is always 255 by default.

In my lab scenario, I will give each port a value of 128. Two physical links down will trigger a failover to node 1. This is the final configuration for redundancy group 1:

We lost one packet during the failover with a timeout of two seconds, which is not bad at all. The switchover is stateful so TCP connections should be able to handle this just fine. Let’s see what happened on the SRX…

Our interface monitor shows two interfaces down that had a weight of 128. The threshold should now have reached zero which retired node0 from the cluster.

Oct 6 19:43:01 Interface fe-0/0/1 is going down
Oct 6 19:43:01 fe-0/0/1 interface monitored by RG-1 changed state from Up to Down
Oct 6 19:43:01 intf failed, computed-weight -256
Oct 6 19:43:01 RG(1) priority changed on node0 120->0 Priority is set to 0, Monitoring objects are down
Oct 6 19:43:01 Successfully sent an snmp-trap due to priority change from 120 to 0 on RG-1 on cluster 1 node 0. Reason: Priority is set to 0, Monitoring objects are down
Oct 6 19:43:01 Current threshold for rg-1 is -1. Setting priority to 0. Failures: interface-monitoring
Oct 6 19:43:01 Both the nodes are primary. RG-1 PRIMARY->SECONDARY_HOLD due to preempt/yield, my priority 0 is worse than other node's priority 1
Oct 6 19:43:01 Successfully sent an snmp-trap due to a failover from primary to secondary-hold on RG-1 on cluster 1 node 0. Reason: Monitor failed: IF
Oct 6 19:43:01 updated rg_info for RG-1 with failover-cnt 1 state: secondary-hold into ssam. Result = success, error: 0
Oct 6 19:43:01 reth0 ifd state changed from node0-primary -> node1-primary for RG-1
Oct 6 19:43:01 reth1 ifd state changed from node0-primary -> node1-primary for RG-1
Oct 6 19:43:01 updating primary-node as node1 for RG-1 into ssam. Previous primary was node0. Result = success, 0
Oct 6 19:43:01 Successfully sent an snmp-trap due to a failover from primary to secondary-hold on RG-1 on cluster 1 node 0. Reason: Monitor failed: IF
Oct 6 19:43:01 printing fpc_num h0
Oct 6 19:43:01 jsrpd_ifd_msg_handler: Interface reth0 is up
Oct 6 19:43:01 reth0 from jsrpd_ssam_reth_read reth_rg_id=1
Oct 6 19:43:01 printing fpc_num h1
Oct 6 19:43:01 jsrpd_ifd_msg_handler: Interface reth1 is up
Oct 6 19:43:01 reth1 from jsrpd_ssam_reth_read reth_rg_id=1
Oct 6 19:43:02 SECONDARY_HOLD->SECONDARY due to back to back failover timer expiry for RG-1
Oct 6 19:43:02 Successfully sent an snmp-trap due to a failover from secondary-hold to secondary on RG-1 on cluster 1 node 0. Reason: Back to back failover interval expired
Oct 6 19:43:02 updated rg_info for RG-1 with failover-cnt 1 state: secondary into ssam. Result = success, error: 0
Oct 6 19:43:02 Successfully sent an snmp-trap due to a failover from secondary-hold to secondary on RG-1 on cluster 1 node 0. Reason: Back to back failover interval expired

What is interesting is that the SRX is explicitly sending an SNMP trap for these events, so make sure you have a good monitoring tool and trap receiver in place, preferably with alerting.

As the ultimate test, I will unplug interface fe-1/0/0, the first port of node1, which will make the whole LACP bundle reth0 run on just one link. If we had configured minimum-links 2 this action would bring down the whole reth bundle

For anyone designing a network solution with high-availability in mind, this is all very promising. Even with 75% of our physical links down, the reth will stay functional and forward traffic.

I have now reconnected all cabling for a last question I’ve been pondering about – how does the interface monitor react when physical ports go down on both nodes? Suppose we are running our trunks to a chassis or VSS and lose a linecard or stack-member? Does the interface weight count globally and trigger a failover? Let’s find out…

Disconnecting fe-0/0/0 and fe-1/0/0, the first port on each node which is in reth0

root@FW01A> show interfaces terse | match "fe-0/0/0|fe-1/0/0"
fe-0/0/0 up down
fe-0/0/0.111 up down aenet --> reth0.111
fe-0/0/0.32767 up down aenet --> reth0.32767
fe-1/0/0 up down
fe-1/0/0.111 up down aenet --> reth0.111
fe-1/0/0.32767 up down aenet --> reth0.32767

Both links, which both had a weight of 128, are now down but RG1 is still rolling along fine on node0 and the priority is not set to 0. This does prove that the interface-monitor value is tied to the node on which the interface resides.

Conclusion

This turned into quite a lengthy post but hopefully demonstrated the benefits of having an Etherchannel over the standard single-port configurations you’ll find in most documentation. Bundling your physical interfaces in a LAG gives you that extra layer of physical redundancy with the added benefit of load sharing on the links. We were able to “lose” 75 percent of our revenue ports without any significant impact. Adding the tagged Layer3 interfaces also gives us the option to add more logical units in the future, which can in turn be assigned to their own routing-instances and zones if you’re dealing with a large-scale or multi-tenant environment.

If this was helpful for you or if you have a remark, please let me know below in the comments! Thanks for reading 🙂